NetEqualizer News Blog

Editors Note:

This paragraph written by Michael W. Lucas, was a lead into to a nice testimonial for a PFsense firewall.  For anybody that is in the IT consulting this first part is classic Dilbert.

Found in pfsense.org

My friends and co-workers know that I build firewalls. At least once a month someone says “My company needs a firewall with X and Y, and the price quotes I’ve gotten are tens of thousands of dollars. Can you help us out?”

Anyone who builds firewalls knows this question could be more realistically phrased as “Could you please come over one evening and slap together some equipment for me, then let me randomly interrupt you for the next three to five years to have you install new features, debug problems, set up features I didn’t know enough to request, attend meetings to resolve problems that can’t possibly be firewall issues but someone thinks might be the firewall, and identify solutions for my innumerable unknown requirements? Oh, and be sure to test every possible use case before deploying anything.

Continuing the constant evolution of the NetEqualizer line, we’re pleased to offer the most recent NetEqualizer software release – Carrier Class 4.0. In addition to providing the features and quality found in past NetEqualizer releases, among its many enhancements Carrier Class 4.0 will now support three times as many shaping buffers, translating into smoother shaping for up to tens of thousands of users.

For example, you will be able to take a one-gigabit pipe and break off 1,000 users into a subnet mask to share 100 megabits (with smoother results than current versions). Most routers that break out chunks of bandwidth use harsh rate control methods such as dropping packets when the limit is reached. Although there will be a small margin of error, the optimizations and techniques used to break off larger chunks of bandwidth and shape them smoothly without dropping packets rivals that of carrier class shapers sold for 10 times our cost.

The following features and enhancements will also be available with Carrier Class 4.0:

• Full one- to 32-bit mask fields for hard limits  — You can now take any IP address and specify a mask in x.x.x.x/y format where y is the number of bits you wish to mask. All IP addresses in the masked range will receive the specified hard limit (Hard limits are individual rate limits for an IP address).
• Pools support masks – You can now add members to a bandwidth pool using a mask field of the form x.x.x.x/y, Y can range from one to 32. The NetEqualizer will automatically add members of the range specified as they become active and retire them if they become inactive. This optimization will allow users to specify large ranges without overwhelming the system.
• Full one- to 32-bit masking for traffic masking – You can now use the NetEqualizer masking function with odd numbered mask specifications, prior to this release only /24 and /16 masks were allowed.
• Pool number displayed in active connection table – You can now see if a connection is part of a pool, the pool number will be displayed in the last column of the connection table.
• Release 1.0 of our URL-based blocking feature – Now you can block a list of URL’s. This feature is commonly used by libraries and private institutions where there is a mandate to block particular recreational sites. In the initial release, customers need only supply a config file with all URLs by name that they wish to block and then hit the start button. In future releases, we will be contracting with providers that supply updated lists on a regular basis. There will be no charge to enable our URL-blocking feature, however there will likely be subscription charges to use third party URL lists.
• Connection limit masks now fully supported – You can specify a connection limit mask of the form x.x.x.x/y where y is an int from one to 32. Prior to this release, only /24 and /26 were supported.
• New Automatic detection of license overruns – The NetEqualizer will now automatically report any new license overruns. Any time you log into the GUI, a message will be displayed indicating how many license overruns you may have incurred since your last reboot. If you do see a license overrun, you should call support and see about upgrading your license.
• New license levels available for enforcement in kernel
• URL-based shaping

For more information on the Carrier Class 4.0 update, contact us at admin@apconnections.net or 303-997-1300.

# The following script can be used with your NetEqualizer to block a set of URL’s of your choosing

# save the script below into a file in the /art directory , we named ours blockstuff.pl

# then create a file with URL’s  you wish to block,one per line in the same directory as this perl script

# you’ll need a NetEqualizer version 4.0 or higher

#!/usr/bin/perl -w

#
$| = 1;

if(scalar(@ARGV) < 1){
print “Usage: $0 <file name with urls to block> \n”;
exit 1;
}

open (SPECIAL, “< $ARGV[0]“) || die “openning  url file in block stuff problem”;

while ($line=<SPECIAL> )
{
chomp($line);
print ” blocking $line \n”;

$search_phrase = $line;

if ( -e “/usr/bin/nslookup”)
{
print ” calling  nslookup for $search_phrase \n”;
$data=`/usr/bin/nslookup $search_phrase`;
open (LOGF, “>> /tmp/arblog”) || die “opening log file “;
# uses same log file as NetEq process not sure if this a good idea ?
print “$data data \n”;
chomp($data);
@foo= split(/[\s#]+/, $data);
$counter=6;
while ( $counter  < @foo)
{
$counter= $counter+1;
if ( exists $foo[$counter] ) {
if ($foo[$counter] =~ /(\d+)(\.\d+){3}/)
{
print ” $foo[$counter] is an IP \n”;
# ADD_CONFIG CONNECTION x.x.x.x/y val porti direction optional_commenta
system (“/art/ADD_CONFIG CONNECTION $foo[$counter]/32 1 0  1 $line “);
print LOGF “putting block on site $search_phrase IP $foo[$counter] \n”;
}
else
{
print LOGF “problem with version of NS lookup could not find valid IP for $search_phrase \n”;
}
}
}
}
else
{ print “need nslookup utility to run this command part of dnslib package debian\n”;
exit 1;
}
}
# While there’s a URL in our queue which we haven’t looked at …

Editors notes: The following excerpt was pulled from the Resnet User Group Mailing list Oct 17 , 2009

Most subscribers to this user group are IT directors or adminstrators for large residence networks at various  universities. Many manage upwards of tens of thousands of Internet users.   If you are an ISP I would suggest you subscribe to  this list and monitor  for ideas.  Please note vendor solicitation is frowned upon on the Resnet list

As for the post below The first part of the post is Dennis’s recommendation for a good bandwidth shaper, he uses a carrier grade Cisco product.

The second part is a commentary on the fallacy of layer 7 shaping. No we do not know Dennis nor does he use our products , he just happens to agree with our philosophy after trying many other products.

Dennis OReilly <Dennis.OReilly@ubc.ca
reply-to Resnet Forum <RESNET-L@listserv.nd.edu> to RESNET-L@listserv.nd.edu date Sat, Oct 17, 2009 at 12:35 AM subject Re: Packet Shaping Appliance unsubscribe Unsubscribe from this sender

At the University of British Columbia we own and still use four PS10000’s.   A year ago we purchased a Cisco SCE 2020 which has 4 x 1G interfaces.  The SCE 2020 is approx the same price point as the PS10000.  There is also an SCE 8000 model which has 4 x 10G interfaces, also at a decent price point.

Oregon State brought the SCE product line to our attention at Resnet Symposium 2007.  A number of other Canadian universities recently purchased this product.

The SCE is based on P-Cube technology which Cisco acquired in 2004.

In a nutshell comparing the SCE to the PS10000:
- PS10000 reporting is much superior
- PS10000 and SCE are approx equal at ability to accurately classify P2P
- SCE is essentially a wire speed device
- SCE is a scalable, carrier-grade platform
- Installation of SCE is more complicated than PS10000
- SCE has some capability to identify and mitigate DoS and DDos attacks
- SCE handles asymmetric routing
- SCE has fine grained capabilities to control bandwidth

It is becoming more and more difficult over time for any packet shaping device like a Packetshaper, or a Procera, or an SCE to accurately classify P2P traffic. These days the only way to classify encrypted streams is through behaviorial analysis.  In the long run this is a losing proposition.  Thus, approaches like the NetEqualizer or script-based ‘penalty box’ approaches are better.   However, boxes like the SCE which have excellent capabilities to control bandwidth on a per user basis are also viable.  Otherwise the carriers wouldn’t be using these products.

Just got this e-mail in unsolicited from a customer. We hear this all the time.

The context of the thread was that our customer had just gotten back from a convention and had told a couple of their peer companies (Canadian Cable Operators) about the NetEq and his improved margins.

Ya I’m sure they have to go home and pitch the deal to the management but
they are soooo wasting bandwidth.

6500 customers using 250M sustained

We on the other hand have 4000 using 60M sustained

Crazy!

We recently received an e-mail regarding this question from a customer, here is the basic dialogue with our answer below.

It occurred to me today…..pre netequalizer, I’d know that it was time to upgrade our network bandwidth by watching the network traffic graphs.  If there were periods of the day that the connection was maxed out it was a good sign that more bandwidth was needed.

Now that our traffic is running through netequalizer, with the threshold limit and then slowing of user connections beyond that point, we’ll not see the graph max out any more will we?  And if we did ever see that, we’d be way past the point of needing more bandwidth, because it would mean that our link was so saturated that netequalizer couldn’t slow down enough traffic fast enough to avoid that situation.

Answer: We actually do have systems that run very close to pegged(Max) for
hours at a time without complaint. Generally we would suggest waiting
until user perception for the speed of normal sized web pages and short
e-mails is perceived as slow. NetEqualizer does a very good job of allowing your network to run close to capacity without experiences adverse side effects so in essence it would be premature to add more bandwidth based on hitting peak usage.

Note: If you ask your sales rep for your local bandwidth provider if you should purchase more bandwidth, they will almost always recommend adding more solve almost ato ny issue on your network. Your provider whether it be Quest, Comcast, Time Warner or a host of other local providers,  most likely has a business model where they grow profit by selling bandwidth; hence their sales staff really is not incented to offer alternatives. Occasionally when it is physically impossible to bring more bandwidth to your business they will relent and offer a referal for a bandwidth opimization company.